[ FROM THE EDITOR ]

From Risk to Reward

December is prediction month. You’ll be bombarded with a million “Security predictions for 2009” articles online, sure as death and taxes.

Those are fun and interesting. We do them too. But for this issue we wanted to provide something else. With all the change currently roiling the security industry and the world (economic turmoil, technologic progress and more), we wanted to try to project how your job, your industry, your operating environment might be shaped in the longer view. Simplest way to get at the answers: Ask a bunch of experts what’s happening in their areas of expertise and then try to connect the dots.

Like looking at a pointillist painting.

We went into this without any particular preconceptions, but to my surprise the big picture that emerged is one I’ve already written about in this space, in a column last April called “The Age of Analytics.”

Here’s the trajectory of security that I anticipate over the next couple of years:

1. Currently we’re wiring up security systems of all sorts (physical and digital) to interconnect and to produce a ton of data.

2. Next we will apply increasingly powerful and intelligent analytics to all that data. This will improve our decision making about risk.

3. Then as those analytics become better and better, the security data will turn into true business intelligence. We’ll be better able to balance the risk focus with an equal focus on reward.

The “analytics” in this equation include both technical algorithms and programs such as nascent video content analysis tools and log file management software, and also the slowly maturing security metrics methodologies such as ROSI, ALE, NPV and so forth. Neither of these areas has reached its end state by any means.

The “reward” aspect of this equation includes information about the behavior of customers and business partners, as well as the potential payback for moving into markets or geographies that present different or unusual types of operational risk.

As the data capture improves, and the analytics improve, the intelligence about reward improves as well. And that is going to represent a real, fundamental shift in the role security plays in business.

This isn’t a new idea, but the process of assembling this issue of the magazine has clarified the path forward to a high degree in my mind. All the interviews presented here (and there are others online where space is more or less unlimited) provide pieces of the puzzle, but if you’re looking for a CliffsNotes version I would point you toward Jeff Spivey (Page 26), Marcus Ranum (Page 27), Dilip Sarangan (Page 34) and Nuala O’Connor Kelly (Page 35).

So that’s what I think happens next. What do you think?

-Derek Slater, dslater@cxo.com
[ FROM THE PUBLISHER ]

10 Wishes for 2009

As I look forward into 2009, the world is going through many changes. With the financial markets in turmoil and a new administration coming into Washington, it’s a good time to step back and think about what I really wish to happen in 2009.

1. I wish that the U.S. Department of Homeland Security (DHS) becomes a far less dysfunctional institution. Watching the evolution of DHS following the tragic events of 9/11 has been an excruciating process. DHS must break out of its bureaucratic and political quagmire, tear down the fiefdoms that still linger from before its founding and work to address the real risks we are facing here at home.

2. To that end, I also wish that Public Relations 101 would be a required college course to become a security executive. Some CSOs are so bad at managing spin that they often undermine their own efforts by failing to understand how their actions will be perceived by others. Sometimes it’s best to use a feather as opposed to a club.

3. I wish that federal legislators would get their collective acts together and pass a federal breach notification law that would preempt all the state breach laws that currently are torturing businesses across America. I know, I don’t ask for much. Read on.

4. I wish that McGruff the Crime Dog and his buddies in law enforcement would find a way to take a bite out of eCrime. It seems that the bad guys have, for the most part, figured out how to stay off the radar (or at least off the to-do list) of most law enforcement.

5. I wish that, for many organizations, the practice of security would become less about CYA (cover your anterior) and more about MBR (manage business risk).

6. I wish that America would understand there is a reason we have not suffered a serious terrorist attack on our territory since 2001. It was Thomas Jefferson who said, “The price of freedom is eternal vigilance.” What was true in the 18th century remains true today and we owe thanks to those who have kept us safe and free these past seven years.

7. I wish we would finally get ahead of the criminals who spend their days figuring out how to steal our money and mess with our systems. I’m not convinced we will succeed but we need to try harder at all levels.

8. I wish that our schools and universities would start to take security far more seriously than many do. I have observed this issue very closely for the past several years and it scares me to see what happens when politics (and political correctness) is injected into this issue (see wish number five).

9. I wish that business leaders would understand that legislators and regulators are less likely to step in and impose their will upon us if we are proactive in addressing security. It’s when we do nothing, or give lip service instead, that they are likely to take action.

10. Finally, I wish we would all understand that good security is a journey and will never be a destination.

-Bob Bragdon, bbragdon@cxo.com
BLOG POST

The Value of Certifications

Jeff Bardin on dealing with HR and finance objections to the cost of staff certifications

HR and finance are questioning you on the latest request for staff certifications. From the CISSP, ISSMP, ISSAP, ISSEP to the CISM and CISA examinations, the costs are mounting. The VP of HR wants explanations of these certifications and an idea of the benefits of these certs to your company. How would they differ from the technical certifications we have long supported like an MCSE or the CCNA? The CFO wants to understand why he should be spending $3K to get someone certified. What should your answer be? This is what you tell them:

As in any profession, a level of competency is required. Information Assurance (IA) is no different. Certifications are quite common in industries such as aviation, architecture, accounting, nursing, law and teaching, to name a few. Developments in regulations, statutes and standards place great strain on our ability to secure IT environments. The Payment Card Industry standard has over 206 control requirements. This is placing a great demand for highly skilled workers in the IA industry that covers both commercial and government entities. The Department of Defense (DoD) issued directive 8570.1M that requires IA technicians, managers and members of IA specialties to be trained and certified to a DoD baseline requirement.

Cobit, a standard supported by the CISA certification used in IT auditing, uses over 320 different controls. ISO27001/2, the international security standard, covers 11 security domains including 133 control requirements. The CISSP certification covers 10 security domains and requires at least five years of information security experience in order to receive the actual certification. That does not include the up to five hours it takes to complete the exam for certification. The CISSP certification is largely technical in nature and the first of its kind in the industry. The industry has changed to the point that more specific skills are required. ISC2 expanded their certifications to include three new programs:

■ ISSAP - Information Systems Security Architecture Professional (design)

■ ISSMP - Information Systems Security Management Professional (manage)

■ ISSEP - Information Systems Security Engineering Professional (build)

Each provides an in-depth level of competency required as new requirements are placed on the protection of information and information systems. Several of ISC2’s credentials meet stringent requirements of ISO/IEC Standard 17024:2003. The ISO/IEC standard 17024 is a global benchmark for assessing and certifying personnel.

The CISM certification requires five years of experience, three of which must be in a security manager role. The CISM is also accredited under ISO/IEC 17024:2003.

People involved in IA must be able to understand and systematically employ and manage concepts, principles, methods, techniques, practices and procedures related to each regulation, statute and standard. What you are witnessing is the growth of a relatively new profession encompassing the scientific, technical and management disciplines required to ensure IA. These certifications:

■ Establish a professional identity and uphold the quality of the profession;

■ Establish a minimum level of knowledge with regard to the practice of the profession, and through continuous learning, upgrading of knowledge base and skills;

■ Make known a code of ethical practice;

■ Provide a review process and participation in published standards of practice;

■ Promote ongoing studies for practitioners to validate their practice;

■ Enhance the corporate security posture and public standing.

According to a 1998 study conducted by McKinsey, the most important corporate resource over the next 20 years will be talent. Certifying our staff is but one battle in this war.

-Jeff Bardin

ON THE WEB

Award Nominations Open

Nominations are now open for the 2009 CSO Compass Awards (for outstanding security leadership and contributions to the field) and the 2009 NEXT Awards (for up-and-comers in security).

Compass Awards: http://public.cxo.com/awards/applicationCSOCompass2009.html

NEXT Awards: http://public.cxo.com/awards/applicationCSONext2009.html

BLOG POST

Repackaging Cyber “Ethics”

Recent news headlines are full of intriguing stories about real-life consequences to virtual actions at home and work. Our virtual world travels, combined with Web 2.0 interactions, are merging with real-life behaviors at the office as never before. Security professionals had better take notice—now.

A Google search alert is worth more than a thousand words, so take a look at a few of these 75 recent articles that my Gmail alert sent me regarding the link between a virtual affair and a real-life divorce.

One of the articles, “Second Life Infidelity Is No Less Real,” said it this way: “The virtual world elides that distinction between fantasy and reality—these are fantasy objects with people attached.”

My point to this blog has very little to do with adultery and quite a bit to do with the realities of virtual behavior now showing up in offices and homes around the USA. I wrote an initial piece on this topic almost two years ago called “Can Cyber Ethics Training Work for Adults?” Yet the topic has accelerated much faster than I anticipated. The mainstream media is reporting this story worldwide, while the technology magazines almost ignore the issue as nothing new, preferring to focus on the important but oversold mantra of “It’s the data, stupid.”

Don’t get me wrong. As an industry, we are doing a terrible job of protecting data, so I understand the back-to-basics theme. Nevertheless, reputations, careers, families, marriages—as well as personal and corporate privacy and security—are at stake with virtual behaviors at the office.

Want more evidence? It seems like some new senior exec is picked up each week similar to this story: “Aide to Boxer Fired After Being Caught in Child Pornography Sting.” Yes, these types of headlines impact the reputation and effectiveness of your company or business. Most stories never make the papers, but our employees are impacted in numerous ways.

What can be done? This may sound like a broken record from me, but we need to repackage cyberethics with new labels. I describe the term “integrity theft” in my book, but regardless of your position, we need to get the best and brightest working together to rethink cyberethics for adults at home and work.

-Dan Lohrmann
Edited by Bill Brenner

The Myth of Cloud Computing

Why the rapid spread of virtual technology is becoming a security risk

Companies hungry for IT efficiency and cost savings absolutely love virtualization. The idea of reducing racks of servers into smaller and cheaper machine farms is simply irresistible in just about every enterprise.

Security vendors have seized on this with an array of products promising “security in the cloud.”

But the adopters often lack a basic understanding of what virtualization is about, and that’s a problem, industry experts say.

“When you look at how people think of virtualization and what it means, the definition of virtualization is either very narrow—it’s about server consolidation, virtualizing your applications and operating systems, and consolidating everything down to fewer physical boxes,” says Chris Hoff, chief security architect for the systems and technology division at Unisys and a former advisor on the Skybox Security customer advisory board. “Or, it’s about any number of other elements—client-side desktops, storage, networks, security.”

Depending on who you are and where you are, the definition of what’s coming in the virtualization world means a lot of different things to a lot of different people, which makes it darn near impossible to build a security strategy around it, he says. (See related story with Chris Hoff, Page 31.)

Hoff isn’t the only one worrying about virtualization security. Joel Snyder, security expert and senior partner at Opus One, says that while virtualization can reduce costs in many ways, “it has a variety of implications in disaster control, capacity planning, system management and security.”

Though many companies don’t understand the precise workings of the technology, many at least acknowledge that there’s a security challenge to address.

Michele Perry, CMO for security vendor Sourcefire, maker of the popular Snort open-source IDS tool, says customers are expressing concern that they have no way to proactively track or identify new virtual systems within their environments.

“With limited visibility, organizations have no way to control VM sprawl, where virtual systems pop up throughout the environment without adhering to corporate IT or security policies,” Perry says. “This has the potential of creating significant security issues—including unpatched machines, unauthorized access and use, and so on.”

Virtualized systems also raise the issue of data retention and privacy because a virtual machine can be moved or eliminated at any time, Perry adds.

Fortunately for those who insist on living in the so-called cloud, virtual security is not a doomed concept.

“Just because virtualization changes your security environment doesn’t mean that the problems it creates are insoluble, or that life suddenly got unimaginably more complicated,” Snyder says.

“Instead, realize that security in a virtual server environment is different. You may have to think differently and use different tools to achieve the same level of security and risk management you have had in the past.”

Even Hoff, a vocal critic of virtualization security, is seeing traces of the cloud’s elusive silver lining.

He notes that the who’s who of security vendors are retooling their applications to take advantage of VMware’s VMsafe APIs. Check Point, Symantec, McAfee, Trend Micro and others are working on tighter, better integration.

Of course, security experts warn, all the vendor activity in the world won’t help a company that dives headlong into the cloud without thinking through the risks first.

As long as companies fail to grasp the nuts and bolts of virtualization, dangers remain.

-Bill Brenner
>> BRIEFING

PHYSICAL SECURITY

How IT Helped Catch the Jewelry Thief

It used to be that after a robbery, the police would review a surveillance tape for clues into who broke in, at what time and what the bad guys looked like. Since the thieves would be long gone by the time the tape was reviewed, there would often be little the authorities could do about it.

But thanks to 21st-century technology, the crooks are being watched in real time and, as a result, getting caught a lot more often.

In this Q&A, Dennis Thomas, regional loss prevention manager and certified field trainer at Zale, a jewelry chain, explains how the retailer’s IT operation is playing an increasingly important role in the physical security effort.

CSO: How has the art of loss prevention changed in the last decade, in terms of how IT and cyberspace come into play?

Dennis Thomas: In the last 10 years, the corporation has really come around to the understanding that criminals have embraced technology and that the only way to defeat them is by staying one step ahead from a technological aspect.

CSO: Give some examples of how the bad guys are using technology against companies like yours.

Thomas: They use technology and the Internet to conduct countersurveillance on the police departments; they’re using Google Earth and they’re using GPS technology to get from one place to the next. They’ll enter a retail corporation’s webpage and use the store locator section to get the various addresses, which they plug in to their GPS systems and it allows them to go from location to location to location.

CSO: Your organization seems to be fighting back in more of a real-time fashion.

Thomas: Keep in mind, in the old days a crime could occur in a store with the employees there and they wouldn’t always notice what was happening. With remote technology, our trained operators at the command center can observe a theft in progress and notify the police in real time with important time-sensitive details like description, method of operation and where the merchandise is on the person. The police in turn are a lot more successful in making an arrest than they were five years ago. The real benefit is the increase in time notification. Let’s say the operator doesn’t immediately see the theft as it’s happening. They can still e-mail camera images to the police, which is still faster than trying to pull video off an old VCR tape.

CSO: Who are you using as a vendor to operate the command center?

Thomas: We own and operate our own command center.

CSO: So you built the whole thing in-house.

Thomas: Exactly. We worked with a local vendor to develop the technology and devised everything right down to the terminology that the operators use to communicate with the stores.

CSO: How much has this cut down on the time it takes, on average, to either catch the thief or at least solve a crime?

Thomas: I’ll give you two statistics. First: The corporation has achieved record shrink lows for the last seven consecutive years. Second: a significant reduction in shrink [lost merchandise or revenue] as a result of burglaries. You can directly attribute that to the technology we’ve put in place. During the days of the old analog systems, there was always that window where the thief could break in, steal merchandise and be gone long before the break-in would be discovered. There has been a significant increase in the number of criminals apprehended because we can get three to five cruisers out there immediately, because the police know if Zale calls, we are seeing a burglary unfolding before our eyes. We can verify to them immediately that it’s not a false alarm.

-B.B.
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CYBERSECURITY 

Anonymous 
Proxy  Servers: 
Necessary 
or  Evil? 

If  there  is  truly  a  gray  zone  in  the  struggle 
between  online  good  and  evil,  anony¬ 
mous  proxy  servers  live  there. 

Organizations  typically  use  proxy 
servers  to  forward  website,  file  and  other 
requests  to  other  servers.  Anonymous  proxy  servers  are 
meant  to  hide  the  identity  of  the  requestor.  Some  security 
experts  say  the  latter  is  only  necessary  if  someone  wants  to 
mask  malicious  activity,  including  Sunil  James,  senior  prod¬ 
uct  manager  at  Amazon  Web  Services  and  formerly  director 
of  vulnerability  research  at  iDefense.  “As  a  security  person, 
my  natural  first  instinct  is  to  ask  why  someone  needs  to  be 
anonymous  if  they  are  doing  something  legitimate,”  he  says. 
“I  just  don’t  see  a  viable  use  for  anonymous  proxy  servers  in 
corporate  environments.” 

Others  say  certain  kinds  of  security  research  and  testing 


THIRD-PARTY 
ANONYMOUS 
PROXIES?  NO!  NO!  NO! 

There  are  a  variety  of  legitimate  rea¬ 
sons  for  security  professionals  to  use 
anonymous  proxy  servers.  But  would 
they  trust  a  third-party  service  that 
lives  on  the  Web? 

Dallas-based  security  practitioner 
Kevin  Nixon’s  three-word  answer:  “No! 

No!  No!” 

Using  a  Web-based  anonymous  proxy 
service  is  about  as  safe  and  useful  as  a 
frontal  lobotomy,  says  Nixon,  a  specialist  in 
data  privacy  and  international  regulatory 
compliance. 

“If  you  need  more  proof,  just  ask 
[Alaska  Gov.  and  former  Republican  VP 
candidate]  Sarah  Palin,  who  had  her  e-mail 
hacked  because"  a  hacker  was  able  to  eas¬ 
ily  access  her  Yahoo  e-mail  account  infor¬ 
mation  via  the  Ctunnel.com  proxy  service. 
Services  like  that  have  lax  user  policies, 
Nixon  says,  adding,  “Why  would  anyone 
hand  over  a  complete  list  of  trusted  TCP/IP 


addresses  to  any  company  that  has  [loose 
policies]  like  Ctunnel?” 

Web-based  anonymizers  like  this  aren’t 
compliant  with  regulations  and  industry 
standards  such  as  FISMA,  FACTA,  HIPAA, 
GLBA  or  SOX,  and  trusting  them  sets  the 
user  up  for  an  experience  like  the  one  Palin 
was  forced  to  endure,  Nixon  says. 

His  concerns  reflect  those  of  others 
CSOs  interviewed  regarding  the  trustwor¬ 
thiness  of  Web-based  anonymous  proxy 
services. 

One  can  never  be  sure  who  is  control¬ 
ling  a  given  proxy  or  how  strict  their  moral 
code  may  be,  which  is  why  George  Johnson, 
CSO  at  the  National  Center  for  Crisis  and 
Continuity  Coordination  (NC4),  would 
never  use  one. 

“Anyone  who  really  cares  about  protect¬ 
ing  what  they  are  doing  should  not  use  a 
random  proxy  as  you  do  not  know  who  is 
controlling  it,”  he  says,  adding  that  those 
who  truly  care  about  the  privacy  of  their 
transactions  must  do  their  homework  and 
understand  what  protections  are  provided 
by  the  service  they  are  thinking  of  using. 

-B.B. 


make  them  a  necessity  and  that  they  are  perfectly  safe  if 
used  responsibly. 

“From  a  security  perspective,  hiding  your  true  location 
behind  a  proxy  definitely  falls  in  the  gray  area  of  Web  brows¬ 
ing,”  says  Ed  Ziots,  a  Rhode  Island-based  network  engineer. 

“I  use  them  to  view  questionable  content  from  semitrusted 
systems  because  I  do  not  want  the  site  to  know  the  true  ori¬ 
gin  of  my  communications  when  I  am  researching  the  latest 
exploits,  exploit  code  or  new  and  up-and-coming  trends  in 
exploit  research.” 

Richard  Childers,  IT  security  manager  at  Canadian  Blood 
Services  in  Ottawa,  Canada,  says  anonymous 
proxy  servers  are  usually  used  within  a  corpo¬ 
rate  context  to  exercise  control  over  outbound 
Internet  traffic  and  are  often  combined  with 
caching  capabilities  to  make  better  use  of 
limited  bandwidth.  But  he  also  sees  their  use 
justified  in  parts  of  the  world  where  free  speech 
is  suppressed. 

“While  l  believe  most  anonymous  proxy  serv¬ 
ers  are  used  to  hide  who  is  accessing  socially 
unacceptable  websites  (porn  etc.),  some  of 
them  may  be  of  political  value  in  that  it  makes 
it  harder  for  repressive  governments  to  identify 
folks  accessing  information  sites  officially 
forbidden,”  he  says. 

Dan  Kaminsky,  director  of  penetration 
testing  at  lOActive,  says  there’s  an  even  simpler 
explanation  for  anonymous  proxy  use  in  other 
countries:  A  lot  of  people  just  want  to  get  Inter¬ 
net  access. 

“It’s  easy  for  us  in  America  to  suggest  this 
is  unethical,  but  we  take  Internet  access  for 
granted,”  he  says.  “Without  proxies,  some  coun¬ 
tries  don’t  have  genuine  access  to  the  Internet.” 

Explore traffic coming from a typical proxy and you’re bound to find it all coming from a kid in a foreign land who just wants to watch something on YouTube or e-mail friends, Kaminsky says.

-B.B. 
Take tokens out of the equation.

PhoneFactor is a simple way to add a second factor of authentication to your remote access VPN, corporate email, websites, and more. PhoneFactor works by placing an automated voice call to the user’s phone during login. They simply answer and press # (or enter a PIN) to authenticate. PhoneFactor eliminates the need for expensive tokens, smart cards, and other devices. It works with any phone.

• Easy to Setup, Manage, and Use

With no tokens to mail and nothing for users to install, it’s easy and cost-effective to enable PhoneFactor for all employees, partners, and customers.

• Strong Two-Factor Authentication

PhoneFactor’s out-of-band authentication is not susceptible to man-in-the-middle attacks or keystroke logging.

• Regulatory Compliance

PhoneFactor is a rapid, cost-effective way to comply with PCI Data Security Standards, FFIEC, HIPAA, and other industry regulations.

Free Download at www.phonefactor.com/tokenlesstwofactor or call 1.877.No.Token
SECURITY WISDOM WATCH

It’s been another eventful month in the security world, with lots to be proud of and, well, lots more to frown about. This month’s index is admittedly tilted more toward the frowning:

Microsoft exploitability index: The software giant says its first month of predicting whether hackers will create exploit code for its bugs was a success. Unfortunately, getting the forecast right less than half the time qualifies as a success.

Chris Hoff: The chief security architect for the systems and technology division at Unisys has been a relentless critic of the “security in the cloud” concept, using his Rational Survivability blog (rationalsecurity.typepad.com/blog) to outline the problems in painstaking detail. Who knows? Maybe some in the vendor and enterprise communities will heed his warnings.

WabiSabiLabi: The organization says it may shut down its online marketplace for security vulnerabilities. Many in the security community thought auctioning off zero-day threats was a dumb idea anyway.

Andrew Madrid: The former San Jose, Calif., network administrator faces 12 years in prison after pleading guilty to hacking, ID theft, burglary and drug charges. Authorities say he used his IT experience to pull off a variety of crimes between September 2006 and March 2008. The insider threat is alive and well. -B.B.


REPORT: MALICIOUS SPAM SPIKES IN THE ENTERPRISE

New survey results from Sophos, an IT security and control firm, find that the number of spam e-mails carrying dangerous attachments has soared. The report reveals that such malicious messages rose eight-fold in just three months.

The “Q3 Dirty Dozen” spam report not only documents an alarming rise in the proportion of spam e-mails, but an increase in spam attacks using social engineering techniques to snare unsuspecting computer users, according to Sophos Senior Technology Consultant Graham Cluley.

The  survey  found  that  one  in  every  416 
e-mails  contained  a  dangerous  attachment 
designed  to  infect  the  recipient’s  computer. 
That  number  is  up  from  only  one  in  every  3,333 
the  previous  quarter,  Cluley  says. 

Much of the increase is due to several large-scale malware attacks launched by spammers during the period, he says. The worst single attack was the Agent-HNY Trojan horse, which was sent disguised as the Penguin Panic arcade game for Apple iPhones. Other major incidents included the Mal/EncPk-CZ Trojan, which pretended to be a Microsoft security patch, and the Invo-Zip malware, which masqueraded as a notice of a failed parcel delivery from firms such as UPS.

“While many people may know better than to click on an attachment that says ‘sexy pictures,’ these new tactics are more alluring,” says Cluley. “Too many people are clicking without thinking, exposing themselves to hackers who are hell-bent on gaining access to confidential information and raiding bank accounts.”

Spammers continue to embed malicious links and spam out creative and timely attacks designed to prey on users’ curiosity, said Cluley. In August, a wave of spam messages claimed to be breaking news alerts from MSNBC and CNN. Each e-mail encouraged users to click on a link to read the news story, but instead took unsuspecting users to a malicious webpage that infected Windows PCs with the Mal/EncPk-DA Trojan horse. “When a spam e-mail appears to come from a trusted source, too many users are fooled and end up clicking through to a malicious webpage,” says Cluley.

Education continues to be key in preventing infection, says Cluley, who encouraged business organizations to give users initial and also refresher instructions on avoiding suspicious e-mails. “The advice is simple: You should never open unsolicited attachments, however tempting they may appear,” he says.

The United States remained in the number-one spot for relaying spam across the globe, generating 18.9 percent of the malicious e-mails. Russia has increased its contribution to the world spam problem, soaring from 4.4 percent last year to 8.3 percent during this time period, according to the report.

-Joan  Goodchild 
“I drive security strategy for a global 500 company.

I provide secure access to business resources anytime, anywhere.

I believe security should connect people, not isolate them.

I am fearless.”

Secure anytime, anywhere access. When it comes to security, most businesses understand what it means to fail. But few can imagine what it would mean to succeed. RSA’s information-centric security solutions can move your business forward. That’s why we’re the chosen security partner of more than 90 percent of the Fortune 500. Don’t just secure your business. Accelerate it. Learn more at www.rsa.com/go/glide

RSA, The Security Division of EMC


TACTICS 


By  Malcolm  Wheatley 


Wireless  Wanderers 

Employees  sipping  cafe  Java  over  their  laptops  may 
think  a  VPN  makes  them  safe  and  secure.  With  careful 
configuration,  there’s  some  chance  they’re  right. 


Road warriors wirelessly connecting to the corporate network from hot spots at airports or coffee outlets. Just a few years ago, nightmare stories were common of even casual bystanders being able to eavesdrop on corporate communications made in such circumstances. As a result, there’s a widespread acceptance that Virtual Private Networks (VPNs) are pretty much de rigueur for wireless use on the road.

But just how much security does a VPN provide? The answer, it seems, is “not as much as you might imagine.” “People tend to fixate on the word ‘private’ in ‘virtual private network,’” warns Jeremy Cioara, an author of five books for Cisco Press and a security instructor for training provider CBT Nuggets, based in Eugene, Ore. “They’re sitting in Starbucks working at their laptop, and they think that because they’re using a VPN, it’s safe. It isn’t.”

So how should a CISO or CSO go about selecting a VPN that is safe and secure? How should it be configured and managed in order to maintain that security? And to what extent do security provisions in the layers of technology around the VPN affect the overall security of the connection it provides? As growing numbers of remote users communicate with their corporate networks via VPN-over-wireless, such questions are increasingly taking center stage. The bottom line: The real vulnerability lies not so much in the VPN itself as in the environment in which it sits. The tunnel encrypts traffic between the laptop and the corporate gateway; it does nothing about what is already running on the laptop, or about traffic that never enters the tunnel.

When it comes to choosing a VPN, there’s certainly a wide range of choice, and price tags, available. For a free, open-source VPN, for instance, check out OpenVPN, which claims three million users and 150,000 downloads a month. There’s a free VPN built into Microsoft Windows XP, too, in the form of its implementation of the Point-to-Point Tunneling Protocol (PPTP).

Fast-growing, New York-based Castle Brands uses a PPTP-based VPN, having first weighed open-source and proprietary VPNs. “We tried to keep the cost down, without compromising security,” says director of IT Andre Preoteasa. “Throw in the up-front cost of some VPNs, the additional hardware, license fees and yearly
support costs, and costs soon climb. With PPTP, if you’ve got Windows XP, you pretty much have it.”

The next attack can come from anywhere. Fortunately, that’s where we’re looking.

Vigilance requires resources. But outsourcing security should do more than lower your costs. It should lower your risk.

SecureWorks does just that. Our industry-leading counter-threat unit, round-the-clock analysts, and state-of-the-art threat correlation platform let us go beyond satisfying your compliance requirements: we safeguard your reputation.

www.secureworks.com

©2007 SecureWorks, all rights reserved. SecureWorks and the SecureWorks logo are registered trademarks of SecureWorks.

>> TOOLBOX


Initial access to the network is password-based, explains Preoteasa, with subsequent access control following role-based rules maintained on the server in the form of Microsoft Active Directory. “People can’t just go anywhere and open up anything; the accounting guys get accounting access while the sales guys don’t,” he says.

But PPTP isn’t without its shortcomings as a VPN, which is why there are plenty of commercial standalone VPNs on the market, says information security expert Winn Schwartau, founder of security awareness certification firm SCIPP International. Those shortcomings are well documented: Bruce Schneier and Mudge published cryptanalyses of Microsoft’s PPTP implementation, covering its MS-CHAP authentication and MPPE encryption, in 1998 and 1999, so PPTP is best treated as protection against casual eavesdropping rather than against a determined attacker. Client-based VPNs, as opposed to operating system-based VPNs, Schwartau notes, offer a somewhat greater degree of manageability and flexibility, at a price, of course.

“PPTP isn’t ideal, but it’s a lot better than nothing,” says Schwartau. “And unless you’ve got state secrets to protect, PPTP is going to keep away a lot of the ankle-biters. The casual guy at the airport looking for low-hanging fruit is going to look at your connection, see that it’s encrypted and move on. There are still just too many other low-hanging fruit out there, such as doofuses with connections that aren’t encrypted.”

Rising  Complexity 

But when evaluating commercial-grade VPNs, the complexities multiply. Technology considerations play a surprisingly significant role in the selection process. At the Pentecostal Church of God in Joplin, Mo., for instance, IT director Don Allen found himself going with a VPN solution from Nürnberg, Germany-based vendor NCP Engineering, after several of the church’s senior executives acquired laptops running under 64-bit Vista.

But these turned out to be incompatible with the church’s existing-but-obsolete Cisco PIX firewalls, a discovery that led him first to Cisco’s customer support, where no solution was forthcoming, and then to Microsoft’s, where a fix could be found. Microsoft’s recommended solution: a VPN client from a single vendor, NCP, which turned out to provide one that would work with 64-bit Vista.

“I downloaded the trial version, talked to NCP and then sent them some 200MB of screenshots,” says Allen. “The next day I got an e-mail asking me to change one setting on the router, and copy a file onto each of the laptops. It worked straightaway, and I bought the licenses. We once again had secure communication, and it was much, much cheaper than buying a new router.”
Today,  church  executives  routinely  access 
the  network  while  traveling,  he  reports, 
“and  it’s  actually  turned  out  to  be  a  pretty 
elegant  solution.” 

There’s no suggestion that the NCP product is anything but highly secure, but such stories underpin why CISOs and experts are recommending that organizations see their wireless VPNs as just one plank of a much broader strategy to secure the remote laptop user. The thinking: Sure, the VPN provides encrypted point-to-point connectivity, but it doesn’t provide an assurance of security.

A starting point, says Atlanta-based author and security expert James DeLuccia, is to have management control the laptop. “The VPN should be installed on a company-owned laptop, not a home computer, and I would then want to impose on that laptop some security policies and settings to make the VPN connection even more secure,” he says.

The logic is part psychological and part pragmatic. With a corporate logo and corporate applications on the desktop, users are less likely to stray into areas of the Internet where security problems are more prevalent. Security policies then act to mitigate this risk even further.

Whether antivirus and anti-malware signatures are current can be checked automatically, and VPN connections to the corporate network can be refused unless such measures are up to date. And stronger authentication measures can be put in place: not just passwords, but loaded certificates, tokens or other two-factor authentication devices.

At London-based law firm Lawrence Graham, a combination of tokenless, two-factor authentication techniques helps ensure secure remote VPN wireless access, says the firm’s IT director Jason Petrucci. “When lawyers log on to the system remotely from a laptop, they are presented with three authentication boxes: one for their username, one for their log-on password and the last for their combined personal PIN code and passcode,” he says. “SecurEnvoy is used to manage and deliver this passcode by preloading three one-time passcodes within a text message, which is delivered to the user’s BlackBerry.”

As passcodes are used, replacements are automatically sent to each lawyer’s BlackBerry. “Our lawyers carry BlackBerrys with them wherever they go. A physical token inevitably runs the risk of being left behind or lost altogether.”
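The preload-and-replenish flow Petrucci describes is sketched below as an added example for this article; it is not SecurEnvoy’s code, and the design details are assumptions made here: passcodes are HOTP values (RFC 4226, HMAC-SHA1 over a per-user counter with dynamic truncation), the server keeps a window of three unused codes outstanding, the third login box carries the PIN and one passcode concatenated, a code is burned the moment it is accepted and a replacement is generated for delivery by text message (delivery itself is out of scope, so the new code is simply returned to the caller), and five consecutive failures lock the account. The secret is the RFC 4226 test key, so the codes produced match the RFC’s published vectors.

```python
import hashlib
import hmac
import struct
from typing import List, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class PreloadedOtpAccount:
    """Server-side state for one user of a preloaded, tokenless OTP scheme.
    Assumed design (not SecurEnvoy's): `window` unused codes are outstanding at any time."""

    def __init__(self, secret: bytes, pin: str, window: int = 3, max_failures: int = 5):
        self._secret = secret
        self._pin_len = len(pin)
        # Illustrative only: a real deployment stores the PIN with a slow,
        # salted KDF (PBKDF2, bcrypt, ...), not a bare SHA-256.
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self.window = window
        self.max_failures = max_failures
        self.failures = 0
        self._next_counter = 0
        self._outstanding: List[int] = []       # counters whose codes sit unused on the phone
        self.initial_batch = self._replenish()  # codes to send in the enrolment text message

    @property
    def locked(self) -> bool:
        return self.failures >= self.max_failures

    def _replenish(self) -> List[str]:
        """Top the outstanding window back up; returns the new codes to deliver."""
        fresh = []
        while len(self._outstanding) < self.window:
            counter = self._next_counter
            self._next_counter += 1
            self._outstanding.append(counter)
            fresh.append(hotp(self._secret, counter))
        return fresh

    def verify(self, submitted: str) -> Optional[List[str]]:
        """Check the combined PIN+passcode from the third login box.
        Returns the replacement code(s) to text to the user on success, None on failure."""
        if self.locked:
            return None
        pin, code = submitted[:self._pin_len], submitted[self._pin_len:]
        pin_ok = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash)
        # Compare against every outstanding code and remember the match rather than
        # returning early, so timing does not reveal which counter (if any) matched.
        matched: Optional[int] = None
        for counter in self._outstanding:
            if hmac.compare_digest(hotp(self._secret, counter).encode(), code.encode()):
                matched = counter
        if not pin_ok or matched is None:
            self.failures += 1
            return None
        self._outstanding.remove(matched)   # one-time: burn the code that was used
        self.failures = 0
        return self._replenish()


if __name__ == "__main__":
    acct = PreloadedOtpAccount(b"12345678901234567890", "4821")   # RFC 4226 test key
    print("codes in enrolment SMS:", acct.initial_batch)
    print("login with second code ->", acct.verify("4821287082"))  # replacement to send
    print("replay of that code    ->", acct.verify("4821287082"))  # None: already burned
```

Two points a practitioner should check in any such scheme are visible here: a code that has been consumed is rejected on replay even though its neighbours in the window are still valid, and the PIN and passcode are judged together so that a wrong PIN with a correct code fails without revealing which half was wrong. The three codes waiting in the phone’s inbox are only as safe as the phone’s lock screen, a trade-off a hardware token does not have.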

Multiple network connections in operation at the same time, conceivably wired as well as wireless, are another source of danger. With two open connections, for example, the laptop can become a bridge to the corporate network, warns Randy Abrams, the Seattle-based director of technical education at IT security company ESET. By piggybacking on the VPN connection, the hacker then has access to the network.

He’s also encountered instances of users downloading corporate documents securely over an encrypted VPN, only then to forward them to their webmail accounts, unencrypted, over the public Internet. Worse, browser helper objects, add-on modules that Internet Explorer loads and that are often installed without the user noticing, can contain malicious keystroke loggers that wouldn’t have been detected by a previous malware detection routine, yet become active immediately during the session. The solution: a very firm and hardwired policy of switching off parallel network connections the moment a VPN session starts.

And the parallel path need not be a second network connection. Split VPN tunnels, in which only traffic bound for the corporate network enters the encrypted tunnel while everything else goes straight out to the public Internet, are very common in VPN clients, warns Seth Peter, chief technology officer at Minneapolis-based security consulting organization NetSPI. “The idea is that one tunnel goes to the corporate network, and the other to the public Internet. We recommend switching the second tunnel off, so that the only way to the Internet is via the corporate network,” he says. “The trouble is, we don’t see enough clients do that.”
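A client-side check for exactly the two conditions Abrams and Peter warn about, split tunnelling and parallel connections, is added below as an illustration for this article; it is not part of any VPN client or of ESET’s or NetSPI’s tooling. It assumes a Linux host and the text format of `ip route show`, that the VPN interface is named tun0, and that the VPN server’s address is known; the routing tables it runs against are constructed samples. The probe address 198.51.100.1 (a documentation range) stands in for an arbitrary Internet host, and whichever route wins the longest-prefix match for it decides whether Internet traffic goes through the tunnel.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PROBE = "198.51.100.1"   # TEST-NET-2: stands in for "some host on the public Internet"


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: Optional[str]
    via: Optional[str]
    metric: int


def parse_ip_route(text: str) -> List[Route]:
    """Parse the one-route-per-line output of `ip route show` (IPv4)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        prefix = ipaddress.ip_network(dest, strict=False)   # bare host becomes /32
        dev = via = None
        metric = 0
        i = 1
        while i < len(parts) - 1:
            key, val = parts[i], parts[i + 1]
            if key == "dev":
                dev = val
            elif key == "via":
                via = val
            elif key == "metric":
                metric = int(val)
            i += 2 if key in ("dev", "via", "metric") else 1
        routes.append(Route(prefix, dev, via, metric))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Kernel-style selection: longest prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric))


def audit_routes(text: str, tunnel_dev: str = "tun0",
                 vpn_server: Optional[str] = None) -> List[str]:
    """Return findings; an empty list means full tunnel, one uplink, no bypass routes."""
    routes = parse_ip_route(text)
    findings = []

    # 1. Split tunnel: does an arbitrary Internet destination leave via the tunnel?
    winner = lookup(routes, PROBE)
    exit_dev = winner.dev if winner else None
    if exit_dev != tunnel_dev:
        findings.append(f"split tunnel: Internet traffic exits via {exit_dev}, not {tunnel_dev}")

    # 2. Parallel connections: more than one physical interface carrying routes
    #    (wired plus wireless, say) is the "laptop as bridge" condition.
    uplinks = sorted({r.dev for r in routes if r.dev not in (tunnel_dev, "lo", None)})
    if len(uplinks) > 1:
        findings.append(f"parallel connections active: {', '.join(uplinks)}")

    # 3. Bypass routes: anything sent to a gateway on a physical interface, other than
    #    the default route (already judged in step 1) and the /32 host route to the
    #    VPN server itself, which has to stay outside the tunnel.
    server = ipaddress.ip_address(vpn_server) if vpn_server else None
    for r in routes:
        if r.dev in (tunnel_dev, "lo") or r.via is None or r.prefix.prefixlen == 0:
            continue
        if server is not None and r.prefix.prefixlen == 32 and server in r.prefix:
            continue
        findings.append(f"bypass route: {r.prefix} via {r.via} on {r.dev}")
    return findings


# Constructed routing tables (not captured from a real host).
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""

SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""

if __name__ == "__main__":
    for name, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        print(name, "->", audit_routes(table, vpn_server="203.0.113.10") or ["OK"])
```

Because OpenVPN’s redirect-gateway def1 option installs 0.0.0.0/1 and 128.0.0.0/1 rather than replacing the default route, a correct full tunnel still shows the original default route on the wireless interface; judging by longest-prefix match instead of by the mere presence of a default route is what keeps the check from crying wolf. Run from a logon script, a non-empty result is the trigger for dropping the VPN session that Abrams and Peter recommend.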

Real World

Given such considerations, how are VPNs chosen, managed and operated in practice?

At beauty school operator Empire Education Group, headquartered in Pottsville, Pa., staff at the company’s 88 schools connect to the corporate network with a Citrix VPN when they’re traveling. On the network, Citrix Access Gateway “publishes” to them the applications they’re approved to use, such as Word, Outlook and class databases for recording grades and attendance.

Management policies then deny users the ability to save locally during a session, forcing them to save on the network. “Users can only see the drives that are published to them, not those on their local machine,” says Joseph Drasdis, Empire’s vice president of IT. “From a security perspective, it’s not a problem if a laptop is stolen because there’s no information on it. Users have to save on the network, period.”

Interestingly, he adds, Internet Explorer is also published to users from the network, which allows Empire to control which websites are accessible to employees with company laptops, a list comprising little more than Empire’s own site, plus Microsoft’s and a support site. The result: an ever-lower likelihood of malware encounters, says Drasdis.

Meanwhile, at Fortune 50 insurance company MetLife, protecting against data leakage, especially in respect of client information, is of paramount importance when enabling remote wireless access, says Jesus Montano, assistant vice president of enterprise security. “The challenge is balancing people’s access requirements with our overall security requirements, and then working with them to find ways of creating an effective solution without compromising security,” he says.

For wireless access from airports and coffee outlets, he explains, these days that means access via VPN vendor Check Point, solely from MetLife-owned laptops, with log-ons protected by RSA hard-token-based, two-factor authentication. In addition to the encryption built into the VPN, all the data on the laptop is protected, he adds.

“All wireless traffic is encrypted; the devices are encrypted and wrapped around with a firewall,” stresses Montano. “We think we’ve addressed the most obvious pitfalls in remote access, and think we’ve got a robust, highly engineered solution.” ■

Malcolm  Wheatley  is  a  freelance  writer  based  in 
England.  Send  feedback  to  Editor  Derek  Slater 
at  dslater@cxo.com. 


Los Alamos National Laboratory, a premier national security research institution, delivering scientific and engineering solutions for the nation’s most crucial and complex problems, has the following opportunity available:

Chief Information Security Officer

Reporting to the Director, Los Alamos National Laboratory (LANL) is seeking an Office Director of Cyber Security to be responsible for all aspects of cyber security at the lab. The Office Director will develop and maintain clear cyber security policies, and validate an integrated and consistent approach to implementation across the Laboratory and within the peer cyber community. Given the technical breadth and capabilities of LANL, it is expected that the Director of Cyber Security will show leadership in drawing upon the Laboratory’s institutional information technology strength to develop pioneering approaches to security for information systems and operation. The Cyber Security Director will be responsible for managing multi-million dollar budgets from both government agencies and institutional funding sources.

The successful candidate will have a Master’s degree (Ph.D. preferred) in Computer Science, Mathematics, or Engineering; proven experience managing large scale and distributed computing/information systems and programs; in-depth knowledge of the cyber security environment; demonstrated application of novel, unique cyber security strategies/methodologies; experience in technology development and systems analysis within a large R&D facility and exceptional communication skills, especially in the areas of presenting briefings and interacting with people. Demonstrated record in successful management of programs and people. Requires a Q access authorization; must have the ability to obtain a security clearance, which usually requires US citizenship.

For additional details and to apply, visit www.lanl.gov/jobs and apply to Job #216269.
Security is often described as a “reactive” profession.

Fair enough; incident response is always going to be a critical part of the job. But it’s likewise critical to build a department, an industry, a profession that has its eye on the horizon.

So here’s help: thoughts on 2009 and beyond, gathered from industry leaders including Whit Diffie, Jeff Spivey, Gary Hinson, Steve Hunt, Chris Voss and many more.

Because the better you understand the trends of today and next year, the more proactive you can be.


Former  ASIS  President 

Jeff  Spivey  expects 
an  accelerating  move  to 
more  comprehensive  risk 
management  models 

Risk Management If security is described as reactive, then formal risk-management methodologies or processes such as enterprise risk management (ERM) are one of the most critical attempts at breaking out of that mold. Jeff Spivey is optimistic about the business world’s rapid adoption of more sophisticated organizational models for ERM.

Spivey, of Security Risk Management, is former president of the ASIS International security association. He now spearheads ASIS’s involvement with the Alliance for Enterprise Security Risk Management (AESRM).

CSO:  First,  give  us  a  simple  definition  of 
enterprise  risk  management. 

Jeff Spivey: ERM is a holistic view of all risk that a business entity or government may be exposed to.

Does  that  include  strictly  operational 
risk,  or  does  it  include  capital  risk  as  well? 

Operational  risk,  brand  risk,  financial 
risk....  All  of  the  risk  an  organization  faces. 

Unfortunately what’s happening is that, as we look through the security microscope, if you will, we’re not backing off and understanding that a company has a lot of other risks outside of security risks or even operational risk. If we say ERM is holistic, we need to make sure that it really is all-encompassing. Otherwise we have gaps.

In  the  last  five  years  or  so,  we’ve  come 
a  long  way  in  removing  risk  management 
stovepipes.  What  do  you  think  will  happen 
in  the  coming  year? 

I think there is more of an understanding that enterprise risk is important. Look at the [risk measurement] adoption of Standard & Poor’s and Moody’s. CFOs and other corporate leaders now understand that their credit ratings are going to be based on how well they handle risk and how mature their ERM processes are. So I think that will be a driver moving ERM forward.

In 2007, reports show that 12 percent or so of companies have ERM fully implemented. In 2009, some reports estimate that will rise to 20 percent. I’m going to suggest, maybe aggressively so, that we’ll be at 30 percent or so hitting some form of ERM adoption and maturity.

What  holds  back  the  other  70  percent? 

Companies  are  still  confused  by  the 
terminology  that’s  being  used.  They  hear 
‘enterprise  risk  management’  and  say,  ‘Well, 
we  have  a  risk  manager  so  we’re  doing  that 
already.’  But  in  fact  they’re  just  doing  the 
old  traditional  approach— transferring 
risk  by  [purchasing]  insurance.  They  may 
be  involved  in  some  risk  identification  or 
some  claims  analysis,  but  they  really  don’t 
know  the  full  scope  of  ERM. 

In the coming years, they’ll move into a strategic type of risk management, gathering more data regarding risk, aggregating it, analyzing it, managing it. And there will be more silos in the company brought into that conversation.

You mention insurance policies. How good is the communication between the insurance risk management people and the security risk management people?

There’s some progress there. AESRM did a presentation to the board of RIMS, the Risk and Insurance Management Society. After the discussion, there were a lot of people saying, ‘This is exactly the type of thing we need. We need more understanding of types of risk and the different ways to handle risks.’

So there’s headway being made. What has been lacking is a structure for discussion, and we were hoping the alliance may be an avenue, if not the avenue, for these types of discussions. It’s not that the people who understand ERM and security’s role in ERM are smarter than anybody else, it’s just that they’ve been talking with more silos about it and understand a broad perspective.

You can imagine a critical role in ERM discussions for privacy professionals represented by the IAPP association and fraud professionals represented by ACFE.

I think they could and should be included. At the end of the day, two things will happen. There will be champions within organizations of that holistic point of view, but they’re still going to need a structure with which to have that conversation. Fortunately, social media, wikis and other technologies will enable those discussions to start maturing the ideas, either within a particular company or across entire industries that are involved.

Let’s say I’m a CSO and my company isn’t far down the ERM road. Is there an effective analogy, a statement, an elevator pitch to the CEO to get the necessary support?

In the growing economic challenges, that conversation is important. Companies right now, in my opinion, are overspending for the risks they are managing. They are approaching it in organizational silos. So they’re not only overspending for the risks that they are addressing, they’re also overexposed to the potential losses that could occur because of the gaps [between silos]. They’re inefficient.

-D.S.


Network Security: Old School

Defending the 2009 network? Tenable Network Security CSO Marcus Ranum says to try principles from the 1970s.

CSO: What technological developments this year will have a big impact on network security? And what do security pros need to be doing about it?

Marcus Ranum: I don’t think there’s anything particularly new that will have a large impact. The Web 2.0 layers are going to cause their share of problems, but those problems are nothing new; they’re just software flaws. What will be interesting is that they’ll be widespread, and the Web programming model may make it hard for some sites to fix flaws as fast as they are discovered. My guess is that will cause considerable pain.

In your opinion, what is the current weakest link in the network security chain that will need to be dealt with next year and beyond?

There are two huge problems: software development and network awareness. The software development aspect is pretty straightforward. Very few people know how to write good code and even fewer know how to write secure code. Network awareness is more subtle. All through the 1990s and until today, organizations were building massive networks, and many of the organizations have no idea what’s actually out there, which systems are crucial, which systems hold sensitive data, etc. The 1990s was this period of irrational exuberance from a security standpoint. I think we are going to be paying the price for that, for a long time indeed. Not knowing what’s on your network is going to continue to be the biggest problem for most security practitioners.

What kind of changes in the bad guys’ behavior have you noticed most this year, and what might the impact be going forward?

The bad guys continue to professionalize. I’m not sure how I feel about that. Many old school security practitioners have been predicting that this would happen for some time, but now that it’s upon us, it sure looks ugly. One thing it’s going to do is clarify how narrow the grey area between black hats and white hats is. I think the grey area is nearly completely gone.

Of  the  most  common  components 
of  security  programs  in  use  today, 
are  there  any  best  practices  that 
are  particularly  important  now  but 
might  not  be  in  the  coming  year?  In 
other  words,  is  there  anything  in  the 
threat  landscape  that  will  require 
a  reshuffling  of  the  best  practices 
totem  pole? 

The  best  practices  totem  pole,  as 
you  put  it,  is  already  too  subject  to  fads. 
The  real  best  practices  have  been  the 
same  since  the  1970s:  Know  where  your 
data  is,  who  has  access  to  what,  read 
your  logs,  guard  your  perimeter,  mini¬ 
mize  complexity,  reduce  access  to  ‘need 
only’  and  segment  your  networks.  Those 
are  the  practices  and  techniques  that 
result  in  real  security.  There  are  loads 
of  fads  vying  for  people’s  attention,  but 
when  they  come  and  go,  the  fundamen¬ 
tals  will  remain  the  same.  - Bill  Brenner 
WHAT HAPPENS NEXT?

Next Steps for ISO 27000

IT governance specialist Gary Hinson expects updates to key standards

Standards Few doubt that a major consequence of the current economic meltdown will be more regulations for the private sector to follow. New regulations almost always mean more spending on security and privacy controls. For a glimpse of what to expect, CSO turned to Gary Hinson, a New Zealand-based IT governance specialist and CEO of IsecT.

He says to expect changes in the coming year, but they won’t necessarily be tied to new regulations born of the financial crisis. Instead, his focus is on changes for the ISO/IEC 27000 family of standards. His efforts to help security pros understand the standards include a regularly updated website: ISO27001security.com.

CSO: Where do you see the most significant regulatory changes in 2009?

Gary Hinson: There are a number of planned changes to the ISO/IEC 27000 family of Information Security Management System [ISMS] standards [collectively ISO27k] over the next year or so.

Work is under way within JTC1/SC27, the ISO/IEC committee responsible for ISO27k, to review and, where necessary, adapt ISO/IEC 27001 and 27002. Both standards are being actively used around the world, of course, making it likely that changes will be relatively limited in order to avoid disrupting the existing implementations and particularly the certification processes. I believe that in Japan, for instance, ISO/IEC 27002 is specifically recommended—if not required—to satisfy the Japanese privacy/data protection laws, with organizations being compliance-assessed against the code of practice, although it was not originally intended by ISO/IEC to be used in that manner. No one really knows how many organizations have adopted ISO/IEC 27002 globally, but I would guess it must be in the hundreds of thousands by now.

In revising ISO/IEC 27002, what are you pressing the committee to focus on?

1. Address and resolve the confusion around “information security policy” versus “ISMS policy”—the latter being closer to strategy, as far as I can see.

2. Expand on the concept of personal accountability versus responsibility, and clarify what is meant by “information asset.”

3. Expand on typical computer room controls, for example environmental monitoring with local and remote alarms for fire, water, intrusion, power problems, etc.

4. Update section 10.8, “exchange of information,” to improve coverage of mobile code, Web 2.0 or software as a service, etc. Technical advances are a tricky area for ISO27k since publication of the standards is such a long, slow process.

5. Expand section 11.2 on “user access management” to include more on identification and especially authentication of remote users.

6. Provide pragmatic guidance on security testing of new or changed application systems in section 12.

7. Expand section 14 on “business continuity management” to cover resilience as well as disaster recovery. This section would also benefit from more explanation of “contingency.”

8. Update section 15 to reflect legal and regulatory changes, such as the rise of e-discovery, document or e-mail retention, and increasing use of computer data as evidence in court.

9. Emphasize the value of IT auditing processes in section 15.3.

With around 4,000 or 5,000 organizations having been certified compliant with ISO/IEC 27001, the official ISMS certification standard, changes there seem likely to be restricted to relatively minor updates. What’s the timetable?

I believe the publication of ISO/IEC 27000 is imminent. It will help bind ISO27k together by explaining the structure and purpose of the standards, and by providing a glossary of common terms. A lot of painstaking work has gone into this standard—wherever possible, reusing definitions from existing standards and clarifying or changing things only where necessary. The recently released risk management standard ISO/IEC 27005 will helpfully bring some commonality to the way various organizations assess their information security risks, prior to selecting and implementing suitable security controls. Risk assessment was arguably the weakest area of ISO/IEC 27002, with very limited guidance provided in section 4. The new standard does not mandate a particular risk assessment method or approach—organizations should choose methods that suit their purposes.

New ISO27k standards will hopefully emerge over the next year or two, providing pragmatic ISMS implementation advice—both generic and tailored to specific market segments (such as governments)—and aspects of information security (such as application security and IT forensics). A metrics standard, ISO/IEC 27004, is edging closer to release (although personally, I have serious misgivings about that particular one).

What are your specific concerns?

I feel if released in its present form, it will actually be a retrograde step—a license to print money for consultants but with little prospect of achieving the goal of helping management understand, manage and improve their ISMS. Worse still, there is a risk that botched metrics implementations will discredit the value of security metrics as a whole and set the field back 10 years.

You’ve suggested some changes are also afoot regarding the auditing process. Please explain.

There is work underway on ISO27k auditing standards with an interesting divergence of opinion over the need for guidance on auditing information security controls. At present, certification audits (covered by ISO/IEC 27006) focus on the management system elements of ISMS and, to a large extent, ignore the information security aspects. An organization that has a marvelous management framework and associated management processes, but has made little real effort to implement information security controls, could potentially still be certified compliant with ISO/IEC 27001, yet be patently insecure. This places great faith in management’s ability to complete continuous security improvements that will—eventually, hopefully—bring things up to par. As a pragmatic IT auditor, I would place far more confidence in an organization’s ISO/IEC 27001 certificate if I knew their information security controls had been independently reviewed against both the requirements specified by their risk assessment and the guidance in ISO/IEC 27002. -B.B.

“We expect to see, in the foreseeable future, a reassessment and reevaluation of security-related spending. That being said, a growth industry like security will continue to be a growth industry. We plan to continue to make investments in, and work with, companies in the security space because the need is not going away.”

-Elad Yoran is the CEO and founder of investment firm Security Growth Partners.

Fewer Feet on Retail Floors Mean More Theft?

Criminology professor Richard Hollinger predicts trends in shoplifting and retail shrinkage

Retail Shrink For the past 16 years, University of Florida criminology professor Richard Hollinger has conducted the annual National Retail Security Survey. Hollinger, the director of the Security Research Project in the University of Florida Department of Criminology, Law and Society, is still compiling the latest shrink data for 2008 and spoke with CSO about what he is hearing from loss prevention pros on what to expect this year.

CSO: The survey for 2008 isn’t complete yet. But what are you anticipating?

Richard Hollinger: From what I can tell, there is really a dramatic disconnect between what happened in ’07 and what seems to be happening now. I just got back from meetings with many loss-prevention vice presidents. All seemed to be suggesting that ’08 will be a very different year. Incidents of shoplifting and employee theft look to be way up in ’08.

However, actual dollar amounts might not be that dramatic. Most of the people doing the stealing are blue-collar types who are working in retail or stealing from retail. People really can’t steal a lot in these stores without being caught.

Why is it so much harder to steal now?

The mantra of loss prevention and retail for the last decade has been ‘leverage technology.’ Stores have really done that using EAS tags and also surveillance cameras. Now there are even point-of-sale integrated camera systems with which they can do exception monitoring. These things just weren’t possible in past years. Now stores can make better use of personnel and cover more space with the same amount of technological investment.

Yet you expect theft incidents will likely be up in 2008. Why?

One reason may be customer service. If stores have less money to spend, coverage on the floor will go down. So, a shopper will go in to a big box store and have to look for someone to wait on them. In previous years, there were plenty. The first line of defense has always been sales associates. In large stores, with a large amount of square footage and fewer people put on the floor, more amateurs who might consider stealing will have the opportunity to try.

Also, if stores are making do with fewer employees, there will be more opportunity for workers to be alone in a store. That kind of scenario can lead to employee theft.

Vendor theft and fraud may also be impacted. As vendors bring merchandise into the store, a manager or staff person needs to check the merchandise in. If a store is busy, or understaffed, there will be fewer chances for that to happen on a thorough basis. If a vendor says they have 100 units, but there are only 75, and a manager can’t thoroughly check on that, there is 25 percent shrink right off the bat. So, the worry is that there won’t be the level of cross-checking and auditing in place to prevent that kind of theft.

How do you think 2008 might compare to other years when you’ve done the survey?

Last year, we saw the lowest level of shrink in 16 years. Even though the economy was starting to go downhill, one of the reasons I think we saw lower shrink in ’07 was because a number of retailers that were previously in the study were not included in ’07. The number of stores that participated dropped from the 150s to the 130s because there are fewer major retailers in the country. They are merging or acquiring one another.

In the survey, 1994 was the worst year for shrink. Much of that was due to record stores. When that sector was part of the survey, we saw our highest levels of theft. Records, CDs, were easier to steal. But since the ’90s, CD sales have plummeted. Most people buy music digitally from iTunes now. So that whole sector that was having problems with shrink has just sort of disappeared. -Joan Goodchild
Keeping Staff Safe in Global Hot Spots

Employee Protection What are the implications of a rotten economy for employee safety around the globe? Chris Voss is a former supervisory special agent and lead negotiator of the international kidnapping response for the FBI; he now heads up The Black Swan Group.

CSO: In the event of a continued, severe global economic downturn, what effects should companies anticipate in terms of threat profiles? Ransom kidnappings, supply chain disruptions...?

Chris Voss: The issue of kidnapping and employee security is more of a function of political and law enforcement infrastructure. If the economic downturn diminishes those capacities, it will cause kidnapping to flourish even more in places where it already exists. Economic kidnapping is like a virus—once it gets into a society, it’s very hard to get it out. Criminals find out it’s pretty easy money.

That’s what’s happening in Haiti, I think. There’s not much wealth in Haiti, but kidnapping numbers have to be up to 250 or so Haitian-Americans. If they grab someone who has family in the U.S., whatever they get—if they get $5,000 to $25,000 per kidnapping—that’s really serious money in Haiti.

Also, in the past, whether it’s true or false, the extractive industries—particularly energy and oil—try to operate in environments where there’s lots of corruption; there were allegations that they were paying off lots of people. Corruption as a form of tax. Under pressure from human rights groups, there’s a set of voluntary principles that the extractive industries signed off on, saying that they would contribute to trying to build legitimate law enforcement infrastructure instead of paying people off and encouraging corruption.

So in a lot of places [where the law enforcement infrastructure is not well-developed], these companies are just building their own security forces and compounds to try to find a way to operate ethically. That’s what most of them have resorted to. An economic downturn will only affect their security if they can no longer afford this protection.

Allegedly, things have changed dramatically for the better in Bogota, Colombia, with violence greatly diminished in recent years. Is that correct, and are there other specific areas of the world where the level of risk has changed significantly in the past couple of years?

Yes, Colombia is much safer than it was ten years ago. When I went in 1998, the guerrillas had complete control of the countryside, and you could not travel there safely. In 2005, I went to a going-away function in the countryside with no military escort. We were hardly armed at all. Uribe has done a tremendous job increasing the infrastructure to push out the kidnappers. Some of the Colombian kidnappers quit, and some are in jail. Of the others, some moved. So it’s on the rise in Venezuela and Ecuador. In Venezuela, Chavez isn’t making the infrastructure any more effective; he’s not using domestic law enforcement to police the country.

You have to hand it to the Mexicans for covering up a massive kidnapping problem. I recently had a conversation with the head of security for an international company based in Mexico. He tried to tell me, ‘Kidnapping, it’s mostly criminal-on-criminal,’ which is nonsense. They’re diminishing the problem, trying to keep the larger world from criticizing them. So it’s getting worse and worse all the time. Tremendous amounts of legitimate businessmen are leaving that region.

In the Philippines, at the end of the Burnham-Sobero kidnapping case [ed: 2001-2002], the response of the Philippine and U.S. governments really sort of took their kidnapping infrastructure apart and left the Abu Sayyaf in somewhat of a shambles. They began to move toward bombings at that time. But that’s run its course and they’re getting back into it, starting with locals. I think it’s a matter of time before they are looking for Westerners again.

Are there other potential threats to employee safety in economic troubles?

More workplace violence. That’s possible when people start to get laid off.

One company in particular that tried to close a plant in France failed to gauge the impact on the small town nearby. Protestors took over the plant, and they had to spend extra money to retake the plant. They could have headed this off with a little more thought; maybe commit to helping the people who are being laid off, helping the community find an economic replacement for the plant. Civil unrest will likely end up costing you more. It’s more expensive to do it over than to do it right in the first place.

-D.S.

Malware Goes Mobile

Proliferating mobile spyware? Mikko Hypponen and Andrew Storms from nCircle offer their projections on the next threats to mobile devices.

Malware Four years ago, F-Secure Chief Research Officer Mikko Hypponen was talking about malware infections on mobile phones while few others were paying attention. With the growing use of Internet-enabled phones, particularly Apple’s iPhone and RIM’s BlackBerry, he sees more opportunities than ever for malicious activity. But, surprisingly, he sees a quiet mobile malware landscape.

“It’s quite quiet on the mobile side. We now have over 400 known mobile phone viruses and Trojans, but most of those target the older smartphone systems,” he says. “Most of the current systems have improved built-in security.”

Hypponen believes the most likely mobile risk today isn’t mobile viruses or Trojans, but mobile spying tools like FlexiSpy, Neocall or Mobile Spy. These commercial tools run fine even on the latest versions of Symbian, Windows Mobile or BlackBerrys, he says.

Meanwhile, the iPhone still has a minuscule market share globally compared to the big boys like Nokia. As that market share increases, he expects more attacks to materialize.

In the short term, Hypponen is looking at some of the more notable events of 2008 for clues on what will happen in 2009. “The defining moment in 2008 was the change from SMTP to HTTP,” he says. “Now the miscreants’ preferred way of infecting Net users is no longer e-mail, but Web-based, drive-by downloads.” The explosion of malicious SQL injection attacks on trusted websites, combined with the mass creation of new malicious websites, means that in 2008, the Internet was more dangerous than at any other time in the past, he says.

“Also, many of the attack-in-depth attacks being deployed from these sites don’t just target vulnerabilities in the operating system or the browser but, increasingly, they target vulnerabilities in browser plug-ins and add-ons, which people rarely update,” he says.

Andrew Storms, director of security operations at nCircle Network Security, is more convinced that bigger phone-based threats are around the corner. One of the biggest shifts in the threat landscape is the proliferation of iPhones and BlackBerrys—devices that are already almost as ubiquitous as laptops. With Google Android entering the scene, he worries that the problem is just going to become more complex.

“The IT and security teams have no eyes or ears for these devices,” he says. “Already, security professionals are struggling to keep their customers productive in an environment where gadget makers have failed to keep up with the fast-moving security threatscape. IT teams would like to treat these devices as laptops but many of the tools don’t translate directly to smart phones.”

Sensitive corporate data on smart phones will probably draw only a small number of very targeted attacks; but it only makes sense that security pros expect attack trends on mobile devices to mirror trends for all other computing environments, he says. Ultimately, the biggest threats will probably be targeted at the treasure trove of personal information stored on a smartphone.

“No one should be surprised if we see the first major threat of the migration of botnets to mobile platforms,” Storms says. “Some smart phones already have more memory and higher processing power than laptops from just a few years ago.”

-B.B.

“A Giant Hamster Wheel of Pain”

Chris Hoff, chief security architect for the systems and technology division at Unisys and a former advisor on the Skybox Security customer advisory board, on misconceptions about virtualization and security

Virtualization When you look at how people think of virtualization and what it means, the definition of virtualization is either very narrow—that it’s about server consolidation, virtualizing your applications and operating systems, and consolidating everything down to fewer physical boxes—or, it’s about any number of other elements: client-side desktops, storage, networks, security. Depending on who you are and where you are, the definition of what’s coming in the virtualization world means a lot of different things to a lot of different people. Then you add to the confusion with the concept of cloud computing, which is being pushed by Microsoft and a number of smaller, emerging companies. You’re left scratching your head wondering what this means to you as a company. You really have to frame the virtualization discussion around three elements: The first is to talk about securing virtualization. Once you have multiple virtualization platforms, you have to look at what it does to your architecture, your people processes and how to make sure it’s all secure. Next, the discussion has to be about virtualizing security. The first was securing virtualization, the second is virtualizing security—understanding the impact on people, process and architecture. How do I take what I already have today and use what works and what makes sense, and then understand what the security landscape looks like? The third thing is ultimately security through virtualization, using virtualization to achieve better security. If you break the discussion into those three parts, you’re better off. All the discussions need to be conducted through the concept of what the business is and where the highest risks are found. Unless you understand all these things, it’s just a giant hamster wheel of pain.

[Vendors] are doing a very poor job in offering guidance. The first opportunity from a marketing and sales perspective is that it’s about creating buzzwords and selling new technology. Until the security technology is more integrated as opposed to bolt-on, the vendors are just doing the best they can with what they have, to suggest they are relevant. From a leadership perspective, you see virtualization vendors at one end of the extreme or the other—you should trust this platform, it’s the most secure, etc. In a way, they have to be simplistic because it’s complex and it’s difficult to put holistic guidelines around it. The solution involves far more than bolt-on technology. -As told to Bill Brenner
Whit Diffie: Keys to Relevance

The crypto-pioneer on developments in encryption and PKI

PKI In the 1970s, Whitfield Diffie cowrote the recipe for one of today’s most widely used security algorithms in a paper called “New Directions in Cryptography.” The paper was a blueprint of what came to be known as the Diffie-Hellman key exchange, a seismic advancement in public key infrastructure (PKI) technology that makes secure online transactions possible. It’s part of such popular protocols as the secure sockets layer (SSL) and secure shell (SSH).

But much has happened in the world of security since then. Does the old recipe hold up in today’s environment?

CSO: The tech landscape has changed considerably since the advent of PKI. Does it still hold up in today’s environment? If so, explain where it continues to do good.

Whit Diffie: Cryptographic algorithms are far and away the best-cooked and most successful part of information security. If breaking into websites, stealing identities or subverting critical infrastructure required breaking AES or elliptic-curve cryptosystems, we would not be complaining about cybersecurity. Public key cryptography still seems to be the best-known solution for moving credentials in unprotected environments. Why is public infrastructure not more successful? One answer is that it is very successful. SSL appears to be the most widely deployed cryptography-based security mechanism of all time.

If SSL is so great, why are e-mail, laptop and data storage all so insecure?

Clearly, more broadly applicable mechanisms are needed. Why are they not more successful? One possibility is that it is a capital and marketing development problem. Keying infrastructure is like any communications phenomenon: The more people who have telephones, the more valuable each individual phone becomes. As long as only a small amount of peer-to-peer PKI is installed, there is little motivation for any individual user to install it. This problem is aggravated by another: Competing providers and standards fragment the market and dilute interoperability. More important, however, is the problem of implementation.

IPSec and e-mail encrypters are implemented within existing insecure computer systems. This burdens the PKI with cumbersome lists of compromised keys. Such success as we have had with PKI-based security is often under attack from network providers. Most VPN users have had the experience of trying to communicate securely with their corporate networks, only to find that the conference center, university or even hotel at which they are located blocks the IPSec port.

In the bigger picture, can you point to a technological development in the last five years that will dramatically alter the shape of cryptography going forward—in other words, a development that is forcing a change in how we’ve approached cryptography in recent decades?

For the long run, it would be the 2005 announcement of cryptographic Suite B, a set of public algorithms (mostly federal standards) certified for protection of all levels of classified information. If Suite B has as much impact on worldwide cryptographic practice as DES [the Data Encryption Standard] did, we can expect a big improvement in the security and interoperability of cryptographic security systems worldwide.

How does Sun’s current strategy fit in with the future direction of cryptography?

OpenSolaris supports a cryptographic framework that provides uniform cryptographic services to both kernel and user processes. The multithreaded Niagara processor devotes one of the eight cores on each chip to cryptographic services, implementing conventional and public-key cryptography, and supporting all the Suite B algorithms. The SPARC instruction set has been augmented with instructions that support the older (modular-arithmetic-based) public-key cryptography, elliptic curve cryptography and symmetric cryptography. -B.B.
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I  WHAT  HAPPENS  NEXT? 


Reality Check

Steve Hunt says vendors and system integrators alike must connect with the end-user

Physical Security

Security industry consultant Steve Hunt is a self-described rabble rouser. Hunt, who runs advisory firm Hunt Business Intelligence, has become a central figure in discussion about the interplay of physical and IT security.

On his site, Securitydreamer.com, Hunt posted a criticism of the physical security industry for a lack of innovation. He spoke with CSO about the feedback he received on his comments.

CSO: You said your post criticizing large physical security companies was very popular. Can you give us a synopsis of the post?

Steve Hunt: The physical security industry is often characterized as an “old-boys” network. It’s an industry, in general, that is not used to public critique or criticism. There has been no Gartner group, no Consumer Reports magazine, to help customers and serve as their advocate. That means that the large companies have been able to develop sales channels that are sometimes impersonal.

These sales channels lock in customers and don’t allow for a lot of freedom or flexibility to build a best-of-breed solution. If you are going to do business with Honeywell or Tyco, you pretty much have to do all of your business with Honeywell or Tyco. It’s not just because Honeywell and Tyco have a large number of products they want to sell you, but their sales channel has an incentive to lock you in. If a customer tries to add non-Honeywell or non-Tyco products to the mix on their own, the big companies can actually fight them legally or pull out their products.

I asked a senior executive at one of these large companies, ‘When was the last time you had lunch with one of the end users of your products?’ And he said, ‘Lunch with an end user? I don’t think I ever have.’

He argued that his customers are the distributors. And their customers are the integrators. And their customers are dealers and end users. Big companies are pretty far removed from end users.

In IT, we know about dealers, we know about integrators. But in IT, an end user always feels they have some recourse with the manufacturer. An end user can always call Symantec and complain, or call Microsoft and complain. But in physical security, there is no channel of communication, no way to do that.

What kind of comments did you get in response to your post?

Folks who agreed most loudly were obviously the end users. But I got feedback from surprising sources: consultants and integrators. They actually said, ‘It almost sounds like you are blaming us for perpetuating this model when all we are trying to do is make a buck.’

But I am kind of blaming them, the consultants and integrators. Consultants specify what they know. And what do they know? They know the products of the big companies. Why? Because the big companies send them on these boondoggle training programs to fancy resorts and hotels, give them formal training in the product and so-called sample specification sheets. The sheets say, ‘If you ever come across an access control or video surveillance deployment like this, here’s how you should specify it.’ And it gives a cut-and-paste from the Siemens catalogue or the Bosch catalogue for consultants to use without using much creativity.

And the integrators, they face a different challenge. They, for the most part, do not sell in the sense that IT integrators sell. IT integrators are more inclined to listen to needs of a customer and perform what I call a ‘consultative sale’ that includes listening and creative problem-solving. In physical security, it’s rare to find that. Most integrators are order takers. ‘How many cameras do you need? OK, we’ll ship them on Thursday and screw them into the wall.’ That’s about it.

Where do you think the physical security industry is headed? Will these practices change?

Physical security is still the big ship that is slow to turn. It’s turning and times are changing. Things are getting better, but it’s still fraught with a lot of tradition that makes agility in tech decisions difficult.

One of the important changes we are witnessing is the use of software and software licenses. Software licenses are an age-old concept in IT. But in physical security, it’s a brand-new concept and sometimes a frightening concept. Physical security is in the business of selling and deploying boxes. Even companies with names like ‘Software House,’ a large physical security brand under Tyco, don’t sell software licenses. They sell boxes-access control systems.

Young software companies are forcing a change. Why? Because they can’t squeeze into the old-boys integrator network. So they do what IT software companies have done for ages-sell direct. Then they hand the project off to local integrators, and then sign that integrator up as a reseller. That is the organic model of channel development.

The theme of this course of change we are witnessing is the realization that the stuff of security is data. The video images, the access control events, the door opening events, the intrusion events-those are all being recorded digitally, on hard drives or on SANs [storage-area networks]. So, while it might start out as analog, it’s recorded digitally and becomes data.

And what did we do the last time we were faced with millions of bits of unstructured data? We organized it with computers, software and networking. This is what we do with millions of bits of data. We use a standard, best-practice IT infrastructure. And that’s the revolution.

-J.G.


“Corporate IT spending will not be as predictable in the current economy as it would be in an up market. But that does not change the pressure on the enterprise or on the IT manager. If anything, we think the current economic crisis increases the movement and pressure toward productivity and toward products that enhance that.”

-Mark Levine is a partner with Core Capital, a Washington, D.C.-based venture capital firm


Merger Mania?

Frost & Sullivan analyst Dilip Sarangan expects the M&A pace in physical security to pick up in 2009

CSO: What sectors or companies in physical security markets look particularly strong?

Dilip Sarangan: Definitely video surveillance looks really strong right now. A lot of people are starting to understand it’s not really ‘nice to have’ technology anymore—it’s more of a ‘need to have.’

There’s a lot of market education on use of IP cameras and complete IP systems. People are starting to understand the value of IP instead of analog. Now the challenge is making the systems integrators understand that.

The physical security guys need to understand how IT systems work: networks, bandwidth issues. There are a lot of vendors trying to educate those guys so they can get an additional channel for sales. But right now, most of the IP sales are going through the IT integrators.

Do most traditional analog CCTV vendors now have an IP offering?

Most are starting to get there, developing their own lines of IP cameras and management software. They’re still a few leagues behind, but it will be a couple of years before they catch up to Axis or Sony or Panasonic.

Plus now, even within the IP camera market, a lot of people are interested in going with the megapixel and multimegapixel systems. The standard-resolution IP cameras are no better than the analog cameras. You need to take advantage of the digital zoom functions. I think that time’s up for the analog zoom.

So the big opportunities there are not just the cameras, but guys that sell SAN, NAS, all the IT storage technologies. You’ll see the EMCs and Seagates playing a bigger role. HP, IBM—all these guys are going to start focusing more on this market.

What’s strong outside of video technologies?

I think everything is moving toward IT, even access control. You’ve got a few companies that are focusing on putting access control systems on the network to enable convergence, integration. That’s gaining a bit more traction. It’s a little behind the video surveillance; more people understand the video part but don’t yet completely see the value in the access control part.

What about IPO and M&A activity next year?

The market is just too volatile. If it was me, I would hold off on doing an IPO.

But for the most part, it’s a very private industry. You have five to ten large companies that are divisions of huge conglomerates; mostly, though, it’s smaller, privately held companies looking to develop technology and then sell to a larger competitor. So you’re going to see more M&A activity for sure. The big guys like Honeywell, Tyco, GE, even UTC are always buying, always interested. Over the last few years, Cisco has bought some companies; EMC is starting to get active. IBM has been quiet, but I have a feeling that will change. Not to build out their portfolio, but just in order to have new sources of revenue.

Look at it this way: Cisco has bought in. Access control is a bit of a stretch for them, video is a bit of a stretch for them, but everything is going IP and they want to sell more routers, more switches. For IBM, it’s just an extra avenue for selling services and software. So it just makes sense to get in and make money off of it.

I’m surprised that IBM has been this quiet this long. Next year I have a feeling they will acquire some companies. We’re going to see a lot of companies offer a lot of different managed services. They’re definitely going that route.

And I think a lot of these companies have a lot of technologies that can be used as business intelligence, not just security. To integrate our HR function, our business intelligence, our marketing together—that would be the ideal scenario. That’s why I see IBM, Cisco and EMC ready to make plays—it’s added value and they can sell more services. Who better to explain the network [impact] than Cisco? Who better to explain the storage than EMC? -D.S.


A Lens on Video

Joe Freeman says surveillance technology spending may slide in 2009

Surveillance

Because of the current global financial crisis, investment in video in the near-term may decline next year. Cuts will need to be made. I predict video spending will be down five percent next year, and then another two percent in 2010 from 2009 levels. I don’t think we will see video spending return to a normal growth rate until 2011.

However, video will be used in the long-term for more than just security. Within a security context, video will be used increasingly. But security video is going to be used for nonsecurity observation and risk surveillance in the future.

For example, video is already being used in the auto industry for painting vehicles. It is used to determine if the paint is finished correctly and to measure pixelization. In other manufacturing processes, video is used to determine quality control: Is the product being handled correctly by people on the production line? Also, food handling in restaurants has been examined using video.

In the future, video will be increasingly used for infrastructure programs, such as videoing the condition of railroad tracks or observing the way a bridge flexes when traffic flows over it. To prevent collapse, it can be used to determine if it is deteriorating. Video will be used in the observation of tunnels. Are the tiles leaking? Is there too much traffic? What is the pollution level? And video will be applied to the protection of reservoir systems in America.

-As told to Joan Goodchild
“A Comprehensive Approach to Information”

Nuala O’Connor Kelly, GE’s privacy chief, says CPO and CSO cooperation is paramount

Privacy

I started in the company three years ago as chief privacy leader and senior counsel for privacy and data. Over the course of the last year, we have congealed a vision around information governance; issues such as information management and data strategy. The new vision reflects a change in the CPO role to a more holistic approach to data.

There is a long-running debate about whether the CPO role belongs in legal, IT or in risk or compliance. I wouldn’t say we’ve settled all of the structural issues, but in terms of what information governance is, it’s about how we create information, how we keep it safe and secure and accessible during its lifecycle, and how we thoughtfully dispose of it. So we’ve brought in document management and data lifecycle, data retention, e-discovery and a whole bunch of other disciplines, under the information governance umbrella.

Now I lead information governance in legal and the information governance council, which is half legal and half IT. I’ve partnered with a team from the office of the CISO, Grady Summers, as well as with the CTO. The idea is to create a multidisciplinary approach to data and both operationalize it and create a sustainable policy on the IT side.

It was driven by data breach security laws. We had to respond quickly to data security issues and to the increasing amount of regulation in that area.

The other real drivers are the changing workforce and the changing expectations of today’s workforce. We have 13,000 GE employees who are self-identified on Facebook as GE employees, sometimes using their GE e-mail address and putting up GE monograms to create discussion groups and so forth. This is happening whether we like it or not. Our employees are voting with their feet about what kind of collaborative networking tools they will use, and this presents some real legal and organizational challenges.

To me, privacy has always been a very reactive and negative term in corporate America. I like information governance because it’s about creating good rules and policies and structures that allow us to get our jobs done. It helps our employees find data and information resources, and creates a good lens through which we judge how our information is touching sales products as well. We have a huge healthcare IT division, a huge security IT division and a whole bunch of folks doing product offerings in this area.

It’s a recognition that in the information age, information is one of the biggest assets to any institution. And it needs to be dealt with in a very holistic approach. It requires a soup-to-nuts approach about both physical and technological protection around information, education of our employees and all the aspects of good data management in a security program, including how long this stuff is kept.

How long information is kept is typically a back-room function of document managers. But it is actually incredibly important when you look at the cost of keeping things, both electronically and on paper.

I think it’s actually a great growth opportunity for folks who have been toiling away in the shadows to elevate their role and also find some synergies in folks across the room, both in IT and legal.

Here, I think we’ve found great strength in numbers. Folks are flocking to our vision of a comprehensive approach to information. We’re doing a lot of projects around federated search, data cleanup, some real basic human factors. Our end-state vision is a collaborative work space; a collaborative, online, real-time, global environment where GE employees, wherever they are, can get to the right information at the right time. Obviously access control and data control around who gets to what container is important, but also important is the reduction of time to get to the right data point, as well as expulsion of useless information.

-As told to Joan Goodchild


“The most urgent need right now is for companies to reconsider what their appetite for risk is in light of the huge changes that have gone on in the external environment. For companies that are strongest in their space, this might be a good time to take more risk. Other companies that are borderline, or are potentially on the verge of major problems, might really need to dial down risk-taking activities to stabilize the organization.”

-Mark Carey is a Partner in the Deloitte & Touche Governance and Risk Oversight practice.


Federal Notification Law Unlikely

Most states now have a breach law on the books. Why hasn’t Congress replaced this patchwork quilt?

Breach Legislation

Forty-four states now have formal notification requirements for companies in the event that sensitive information is compromised. Despite the groundswell of interest in the issue on the state level, there is currently no similar federal law. Chris Wolf, a Washington, D.C.-based attorney with Proskauer Rose and chair of its privacy and security practice group, says that won’t change soon.

CSO: When do you expect to see a federal breach law?

Chris Wolf: I don’t think you will see a federal law come out of the next session of Congress, given the nation’s current priorities and the difficulties Congress has had considering bills for a federal breach law in the past. A lot of businesses want to have a very high threshold for notification that gives them a lot of discretion on when to notify. And many consumer groups think too much discretion will mean not enough notice is given. So the issue is deadlocked.

Given the high-profile nature of a number of breaches, such as the TJX incident, aren’t people demanding a federal law?

Consumers are not left unprotected with the current state of affairs, and it takes the pressure off of Congress to create a legislative remedy. But it is very difficult to comply with this patchwork quilt of laws.

Because of the individual laws in so many states, people are being notified. Many of the laws require companies to comply with the law for each state in which a client resides. So, if a company has data on people from several states, there is going to be nationwide notice.

There are certain federal breach requirements for financial institutions that are under federal supervision—for instance all banks, broker dealers and other investment companies.

You mention the compliance difficulty.

The triggers for notification vary from state to state. And now even the content of letters that go out varies from state to state. If a company finds they have data that has been compromised on someone from Massachusetts and also someone from Maryland, they have to send out separate letters with different content.

There is also the issue of notifying the appropriate regulators because each state has laws of notification obligation with respect to regulators. It’s very complicated to navigate the maze.

One example of how unreasonable these laws can be is the 2007 case of CS Stars, a Chicago-based claims management company. The New York attorney general said waiting seven weeks to notify clients about a breach when a computer went missing was unreasonable, and a fine was imposed. In that case, the computer was recovered and a forensic investigation was done. It turns out no one ever accessed the computer. So there was really no harm, and the breach was remedied by the recovery of data. But this business was fined for what was perceived to be an excessive delay.

Many of the state regulators who are focusing on this are focused on the chronological amount of time between breach and notice. I’m not sure they have a sufficient amount of knowledge of what is involved when a company needs to get its arms around a breach. Before a company can notify, they need to find out who has been affected and what has been exposed. It is better to have an accurate notice than to cry wolf.

Businesses need to be ready in advance of a breach to know what needs to be done. Who is going to be responsible? Who’s going to do what? This is necessary to avoid the regulator scrutiny that has occurred in past cases. If I were going to give one piece of advice to businesses, it’s get ready in advance for a breach because it is more than likely it’s going to happen to you.

-J.G.


7 Infosec Trends for 2009

Rich Mogull, former Gartner analyst and founder of security consultancy Securosis, outlines information security predictions

1. Shrinking security budgets. Even if the economy miraculously recovers this year, companies will still be tightening the belt for all of 2009. Security won’t see major cuts, but will see the usual cost-containment pressure, even in organizations with budget increases. Anything not related to a mandated compliance requirement, obvious threat prevention or clear cost-cutting or reduced TCO will likely be put off until next year or longer. This includes non-PCI Web application security, most information-centric or data security (other than compliance-driven), virtualization security and most of the remaining things that people will predict are hot technologies.

2. Party’s over for security vendors. Vendors can no longer do an IPO [initial public offering], and many investors aren’t willing to fund indefinitely unprofitable ventures. This leaves startups four options: Become profitable, convince investors to keep up funding, get acquired or shut down. We’re already seeing good companies sell for very little investment return (Reconnex/Blue Lane), and this will only get worse. It will be a field day for acquiring companies as they wait for desperation. In markets where there are fewer targets than potential acquirers, the early bird will get the worm and we’ll tend to see one

Continued on Page 38


Leadership in Uncertain Times

Leadership

Consultant and author Patrick Lencioni first spoke with CSO in our early days, answering leadership questions from John Hartmann, then CSO of Cardinal Health. Leadership lessons are often evergreen, but which principles would he emphasize for 2009, with the U.S. economy in chaos?

As always, Lencioni’s thoughts are clear and to the point.

CSO: What principles of leadership (and management) become even more important given the current economic situation?

Patrick Lencioni: I think that more than ever, leaders and managers need to be very clear about their goals and expectations for their organizations and communicate often with their employees. I’d even say they should over-communicate if they have to. I tell my clients that employees need to hear messages up to seven times before they really absorb them. In this environment, over-communication is more critical than ever. Leaders also need to make sure employees understand how their jobs matter to the organization and how to measure their own success.

As for our personal lives, the current financial situation reminds us that now is a great time to hunker down and focus on what matters most to you. Take some time to sit down with your spouse and discuss short- and long-term goals, financial and otherwise.

Security is often characterized as a reactive profession. While there will always be a requirement to respond to unexpected events, what strategies or personal characteristics might security leaders develop to emphasize foresight?

In my book Silos, Politics and Turf Wars, I talk about the importance of having a rallying cry or thematic goal.

In emergency situations, thematic goals become obvious. For example, when a patient in critical condition comes into an emergency room, the goal (to save them) is clear. Or when a building is on fire, the goal (to put the fire out and save people) is clear.

When there isn’t a current emergency, it is helpful for the leader to determine a proactive goal for his or her entire staff to rally around.

-D.S.


Continued from Page 36

higher-multiple deal per market as a few buyers join the party late and have to fight it out for the last ugly date.

3. The Big One unlikely. Someone will predict an earth-shattering SCADA or cyber-terrorist attack. It won’t happen. Unless it does.

4. Database security market collapse. The independent database security market will start to collapse and we’ll see multiple low-value acquisitions (in terms of price). This is for market/economic/business reasons, despite the tools providing immense value to those using them.

5. DLP goes mainstream. In late 2009, data loss prevention will finally go early mainstream due to the push from the big vendors. Content discovery will drive more deals than network monitoring, and will provide more value to most users.

6. Silver lining in the cloud. People will realize that there are only a few areas of the cloud that provide value, and those services will grow well and actually improve enterprise security. They are e-mail security, Web filtering, Web application vulnerability assessments and pen testing; and DDoS [distributed denial of service] protection.

7. The PCI effect. PCI will drive Web application firewall (WAF) sales, but customers will still be dissatisfied with their performance. Next year will be an important year for the next round of WAFs that are enhanced with vulnerability assessment and other technologies to make them more useful out of the box.

In summary, anything not related to obvious threat prevention, compliance or cost cutting will really struggle this year. We’ll still see innovation, but in terms of what security pros do every day, it will be very much like 2008, with yet more budget pressure.
[ DEBRIEFING ]

Parting Thoughts

“We’re headed for a world in which there will be new, private sheriffs on the beat. We’ll look back and it will seem insanely risky that we ran PCs that handled security in an ad hoc way-‘Did we remember to update our antivirus?’ and so on.

Facebook, Google apps, new devices like the iPhone-they all point toward corporate, gated communities on the Internet, where all code is mediated through the gateway and can be approved-or not-by the gatekeeper.

This is not a model I favor. It will lead to lack of innovation for the whole ecosystem, loss of control for the end user-the gatekeeper decides what is offensive.

To head this off, we need technical advances that arrange it so everybody-expert or not-can collaborate on better security.”

-Jonathan Zittrain is author of The Future of the Internet-and How to Stop It.
Get visible site security from the company your customers trust.

online security. Also the greenest.

It’s simple: a green bar means your site is secure. For your customers, this means they can trust their Web experience. It’s all done through VeriSign® Extended Validation (EV) SSL Certificates, which verify and visually represent the authenticity and security of Web sites. This protects you and online customers. Combine visitor confidence with the strongest encryption available to each site visitor to maximize your site’s overall security profile.

Get your free white paper, The Latest Advancements in SSL Technology, at www.verisign.com/cso or call 1-866-893-6565 or 1-650-426-5115.
THINK THE NEXT GENERATION OF MALWARE doesn’t have a headline waiting for you?

Data-stealing malware is smarter, faster and more advanced than ever. It’s infiltrating the most secure enterprises and yours could be next. But with Trend Micro™ Enterprise Security, powered by the Trend Micro Smart Protection Network, you’ll be ready. This unique combination of solutions and services is the next-generation, cloud-client security infrastructure that blocks the most sophisticated threats-before they reach your network. Download our eBook and learn how easily Web threats like data-stealing malware can evade your current security solution and what you can do about it.

► Download our Outthink the Threat eBook and register for a free, onsite risk assessment now at trendmicro.com/thinkagain. Or contact us for more information at 877-21-TREND EXT. 54